Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

judgecorp writes "Nokia has admitted that it routinely decrypts user's HTTPS traffic, but says it is only doing it so it can compress it to improve speed. That doesn't convince security researcher Gaurang Pandya, who accuses the company of spying on customers."
From the article, Nokia says: "'Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users' content, it is done in a secure manner. ... Nokia has implemented appropriate organisational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.'"

judgecorp writes "British Members of Parliament have warned that the UK's cyber warfare strategy is getting it wrong. According to a defense committee report, the country's IT security forces are inadequately prepared for a cyber attack, rely too heavily on inadequately protected systems, and do not sufficiently appreciate the difficulty of attributing the source of an attack."

mask.of.sanity writes "Researchers have examined writing styles to identify previously anonymous carders and hackers operating on underground forums. Up to 80 percent of users who wrote at least 5000 words across their posts could be identified using linguistic techniques. Techniques such as stylometric analysis were used to track users who posted across different forums, and could even be used to unveil authors of thesis papers or blogs who had taken to underground networks."

New submitter uCallHimDrJ0NES writes "Security researcher Mark Gamache has used Moxie Marlinspike's Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It's been going on for a long time, probably, but this is the first time a 'white hat' has researched and exposed the how-to details for us all to enjoy. 'You might think that with all the papers and presentations, no one would be using NTLM...or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!' Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!"

Spy Handler writes "A software update of the California welfare computer system (CalWIN) caused 37,000 Food Stamp recipients to lose their EBT (a credit card paid for by the government) benefits last weekend. According to the article, Hewlett Packard was responsible for the failed update of CalWIN, but at 8:00 a.m. today Xerox (who administers another state welfare system called CalFresh) issued a patch that reactivated the EBT cards."

chicksdaddy writes "A security researcher who was looking for vulnerabilities in Facebook's platform instead stumbled on a much larger hole that could affect scores of firms who rely on a secure file transfer platform from Accellion. Writing on his blog on Monday, Israeli researcher Nir Goldshlager said he discovered the password reset vulnerability while analyzing a Accellion deployment that is used, internally, by Facebook employees. Goldshlager used public knowledge of the Accellion platform to access a hidden account creation page for the Facebook deployment and create a new Facebook/Accellion account linked to his e-mail address. After analyzing Accellion's password reset feature, he realized that — with that valid account — he could reset the password of any other Facebook/Accellion user with some cutting and pasting and a simple HTTP POST request, provided he knew the user's login e-mail address — effectively hijacking the account. Goldshlager said he informed Facebook and that the hole has been patched by Facebook and Accellion. However, other Accellion customers using private cloud deployments of the product could still be vulnerable."

New submitter Fnordulicious writes "Although Canada's anti-spam legislation is already in place, the rules to implement it have been under development for more than a year. This weekend the proposed rules from the Department of Industry were published in the Canada Gazette. Kady O'Malley reports on the CBC Inside Politics Blog that Canadian ISPs will not be allowed to secretly monitor activity except in the case that the activity is illegal and represents an 'imminent risk to the security of its network.' In addition, consent would be required for monitoring of legal activities 'that are merely unauthorized or suspicious.'"

CowboyRobot writes with news about a federal initiative to support federated authentication for government services. From the article: "The U.S. Postal Service will be the guinea pig for a White House-led effort to accelerate government adoption of technologies that allow federal agencies to accept third-party identity credentials for online services. The program involves using services ... through standards like OpenID rather than requiring users to create government usernames and passwords. ... The federated identity effort, known as the Federal Cloud Credential Exchange, is just one piece of a broader Obama administration online identity initiative: the National Strategy for Trusted Identities in Cyberspace (NSTIC), which aims to catalyze private sector-led development of a secure, digital 'identity ecosystem' to better protect identities online. ... The Postal Service pilot is but one of several different pilots that are part of NSTIC. There are also three cryptography pilots and two non-cryptographic privacy pilots in the works. Each of those pilots is being carried out by multiple private sector organizations ranging from the Virginia Department of Motor Vehicles to AOL to AARP to Aetna."

Qedward writes "Software developed by the FBI and Ernst & Young has revealed the most common words used in email conversations among employees engaged in corporate fraud. The software, which was developed using the knowledge gained from real life corporate fraud investigations, pinpoints and tracks common fraud phrases like 'cover up,' write off,' 'failed investment,' 'off the books,' 'nobody will find out' and 'grey area'. Expressions such as 'special fees' and 'friendly payments' are most common in bribery cases, while fears of getting caught are shown in phrases such as 'no inspection' and 'do not volunteer information.'"

This video is an interview with Matt Heusser, who makes a good living as an independent IT consultant. He says many other people who are currently pounding out code or performing other routine computer-oriented tasks can become independent, too. He's not selling a course or anything here, just passing on some advice to fellow Slashdot readers. He's written up some of this advice in a series of four articles: Getting People to Throw Money At You; How to become IT Talent; That Last Step to Become ‘Talent’ In IT; and The Schwan’s Solution. He also gave a speech last November titled Building your reputation through creative disobedience. (The link is to a 50 minute video of that speech.) Anyway, we figure quite a few Slashdot readers are at least as smart as Matt and may want to take some career steps similar to the ones he has taken. In today's video, he gives you some ideas about how to stop being an IT worker and how to become IT talent instead.

First time accepted submitter msamp writes "After the dotcom bubble burst so long ago,when tech jobs were so scarce, I went back to school and finished my PhD in Physics. They lied — there really is no shortage of scientists. Before the downturn I was a product manager for home networking equipment. Since getting the degree I have been program/project manager for small DoD and NASA instrumentation programs. I desperately want back into network equipment product management, but my networking tech skills aren't up to date. I find networking technology absolutely trivial and have been retraining on my own, but hiring managers see the gap and the PhD and run screaming. I'm more than willing to start over in network admin but can't even get considered for that. Suggestions?"

Probably -- if the device I want supports itProbably -- if it works as promisedProbably -- credit cards will be like checks in another decadeNot sure -- no strong opinions either wayDoubtful -- not a useful technology to meDoubtful -- it will be too fragmentedDoubtful -- privacy/security concernsDoes throwing my spare change at the cashier count as mobile?